Vulnerabilities > CVE-2022-30562 - Open Redirect vulnerability in Dahuasecurity products

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

high complexity

dahuasecurity

CWE-601

NVD

Published: 2022-06-28

Updated: 2022-07-13

Summary

If the user enables the https function on the device, an attacker can modify the user’s request data packet through a man-in-the-middle attack ,Injection of a malicious URL in the Host: header of the HTTP Request results in a 302 redirect to an attacker-controlled page.

Vulnerable Configurations

Part	Description	Count
OS	Dahuasecurity Dahuasecurity IPC Hdbw2431E S S2 Firmware - Dahuasecurity IPC Hdbw2831E S S2 Firmware - Dahuasecurity IPC Hdbw2230E S S2 Firmware - Dahuasecurity IPC Hdbw2831R ZS S2 Firmware - Dahuasecurity IPC Hdbw2831R ZAS S2 Firmware - Dahuasecurity IPC Hdbw2531R ZS S2 Firmware - Dahuasecurity IPC Hdbw2531R ZAS S2 Firmware - Dahuasecurity IPC Hdbw2531E S S2 Firmware - Dahuasecurity IPC Hdbw2431R ZS S2 Firmware - Dahuasecurity IPC Hdbw2431R ZAS S2 Firmware - Dahuasecurity IPC Hdbw2231F AS S2 Firmware - Dahuasecurity IPC Hdbw2231E S S2 Firmware - Dahuasecurity IPC Hdbw2231R ZS S2 Firmware - Dahuasecurity IPC Hdbw2231R ZAS S2 Firmware - Dahuasecurity IPC Hfw2231M AS I2 B S2 Firmware - Dahuasecurity IPC Hfw2231T AS S2 Firmware - Dahuasecurity IPC Hfw2231S S S2 Firmware - Dahuasecurity IPC Hfw2231T ZS S2 Firmware - Dahuasecurity IPC Hfw2231T ZAS S2 Firmware - Dahuasecurity IPC Hfw2230S S S2 Firmware - Dahuasecurity IPC Hfw2431T AS S2 Firmware - Dahuasecurity IPC Hfw2431T ZS S2 Firmware - Dahuasecurity IPC Hfw2431T ZAS S2 Firmware - Dahuasecurity IPC Hfw2431S S S2 Firmware - Dahuasecurity IPC Hfw2531T AS S2 Firmware - Dahuasecurity IPC Hfw2531T ZS S2 Firmware - Dahuasecurity IPC Hfw2531T ZAS S2 Firmware - Dahuasecurity IPC Hfw2531S S S2 Firmware - Dahuasecurity IPC Hfw2831T AS S2 Firmware - Dahuasecurity IPC Hfw2831T ZS S2 Firmware - Dahuasecurity IPC Hfw2831T ZAS S2 Firmware - Dahuasecurity IPC Hfw2831S S S2 Firmware - Dahuasecurity IPC Hfw2439M AS LED B S2 Firmware - Dahuasecurity IPC Hfw2239M AS LED B S2 Firmware - Dahuasecurity IPC Hfw2439S SA LED S2 Firmware - Dahuasecurity IPC Hfw2239S SA LED S2 Firmware - Dahuasecurity Asi7213X T1 Firmware - Dahuasecurity Asi7223X A T1 Firmware - Dahuasecurity Asi7223X A Firmware - Dahuasecurity Asi7213X Firmware -	40
Hardware	Dahuasecurity Dahuasecurity IPC Hdbw2431E S S2 - Dahuasecurity IPC Hdbw2831E S S2 - Dahuasecurity IPC Hdbw2230E S S2 - Dahuasecurity IPC Hdbw2831R ZS S2 - Dahuasecurity IPC Hdbw2831R ZAS S2 - Dahuasecurity IPC Hdbw2531R ZS S2 - Dahuasecurity IPC Hdbw2531R ZAS S2 - Dahuasecurity IPC Hdbw2531E S S2 - Dahuasecurity IPC Hdbw2431R ZS S2 - Dahuasecurity IPC Hdbw2431R ZAS S2 - Dahuasecurity IPC Hdbw2231F AS S2 - Dahuasecurity IPC Hdbw2231E S S2 - Dahuasecurity IPC Hdbw2231R ZS S2 - Dahuasecurity IPC Hdbw2231R ZAS S2 - Dahuasecurity IPC Hfw2231M AS I2 B S2 - Dahuasecurity IPC Hfw2231T AS S2 - Dahuasecurity IPC Hfw2231S S S2 - Dahuasecurity IPC Hfw2231T ZS S2 - Dahuasecurity IPC Hfw2231T ZAS S2 - Dahuasecurity IPC Hfw2230S S S2 - Dahuasecurity IPC Hfw2431T AS S2 - Dahuasecurity IPC Hfw2431T ZS S2 - Dahuasecurity IPC Hfw2431T ZAS S2 - Dahuasecurity IPC Hfw2431S S S2 - Dahuasecurity IPC Hfw2531T AS S2 - Dahuasecurity IPC Hfw2531T ZS S2 - Dahuasecurity IPC Hfw2531T ZAS S2 - Dahuasecurity IPC Hfw2531S S S2 - Dahuasecurity IPC Hfw2831T AS S2 - Dahuasecurity IPC Hfw2831T ZS S2 - Dahuasecurity IPC Hfw2831T ZAS S2 - Dahuasecurity IPC Hfw2831S S S2 - Dahuasecurity IPC Hfw2439M AS LED B S2 - Dahuasecurity IPC Hfw2239M AS LED B S2 - Dahuasecurity IPC Hfw2439S SA LED S2 - Dahuasecurity IPC Hfw2239S SA LED S2 - Dahuasecurity Asi7213X T1 - Dahuasecurity Asi7223X A T1 - Dahuasecurity Asi7223X A - Dahuasecurity Asi7213X -	40

Common Weakness Enumeration (CWE)

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Common Attack Pattern Enumeration and Classification (CAPEC)

Fake the Source of Data
An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

References

https://www.dahuasecurity.com/support/cybersecurity/details/1017